Merge branch 'scintill/nixos-mailserver-dkim-bits'

2024-09-22 11:22:50 +05:00 · 2019-08-13 19:56:18 +02:00 · 2019-08-13 19:56:18 +02:00 · ee7bb07f25
commit ee7bb07f25
parent 0bf2bb0b54 f789f7a80c
3 changed files with 19 additions and 0 deletions
--- a/default.nix
+++ b/default.nix
@ -422,6 +422,19 @@ in
      '';
    };

+    dkimKeyBits = mkOption {
+        type = types.int;
+        default = 1024;
+        description = ''
+            How many bits in generated DKIM keys. RFC6376 advises minimum 1024-bit keys.
+
+            If you have already deployed a key with a different number of bits than specified
+            here, then you should use a different selector (dkimSelector). In order to get
+            this package to generate a key with the new number of bits, you will either have to
+            change the selector or delete the old key file.
+        '';
+    };
+
    debug = mkOption {
      type = types.bool;
      default = false;
--- a/mail-server/opendkim.nix
+++ b/mail-server/opendkim.nix
@ -33,6 +33,7 @@ let
          then
              ${pkgs.opendkim}/bin/opendkim-genkey -s "${cfg.dkimSelector}" \
                                                   -d "${dom}" \
+                                                   --bits="${toString cfg.dkimKeyBits}" \
                                                   --directory="${cfg.dkimKeyDirectory}"
              mv "${cfg.dkimKeyDirectory}/${cfg.dkimSelector}.private" "${dkim_key}"
              mv "${cfg.dkimKeyDirectory}/${cfg.dkimSelector}.txt" "${dkim_txt}"
--- a/tests/extern.nix
+++ b/tests/extern.nix
@ -38,6 +38,7 @@ import <nixpkgs/nixos/tests/make-test.nix> {
              fqdn = "mail.example.com";
              domains = [ "example.com" "example2.com" ];
              rewriteMessageId = true;
+              dkimKeyBits = 1535;

              loginAccounts = {
                  "user1@example.com" = {
@ -321,6 +322,10 @@ import <nixpkgs/nixos/tests/make-test.nix> {
        $client->succeed("grep 'Received: from mail.example.com' ~/mail/*");
      };

+      subtest "dkim has user-specified size", sub {
+        $server->succeed("openssl rsa -in /var/dkim/example.com.mail.key -text -noout | grep 'Private-Key: (1535 bit)'");
+      };
+
      subtest "dkim singing, multiple domains", sub {
          $client->execute("rm ~/mail/*");
          # send email from user2 to user1